The infection begins when the user visits the compromised website, which contains injected script from the pseudoDarkleech campaign. This script redirects the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and the web server's response, which returns a page containing the script:

The iframe above contains the URL for the Rig-V User-Agent checking page.

The script on the User-Agent check page identifies the browser being used. The page also contains the URL of the Rig-V EK landing page. If the UA conditions are right, the host makes a POST request to the landing page URL.

For more information on the User-Agent checking page, please refer to my previous blog post HERE.

The server then returns the landing page, which contains more script. Next we see the requests for a Flash exploit and for the Cerber ransomware payload.

Partial image of the server returning the landing page
Partial image of the server returning the Flash exploit
Partial image of the server returning the payload

A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves after running. Some files are also created in the Roaming folder. Here is an image of the JS downloader, the Cerber executable, and the additional files:

Notice there is one other Cerber executable in %Temp% (rad53B1C.tmp.exe). This happened because I refreshed the compromised site one more time and got the full infection chain again. The filenames are different, but the hash values were identical.

After infection the user sees a ransom note image pop up on the screen, named _README_[5-8 alphanumeric characters]_.jpg, and a Cerber ransomware instructions page named _README_[5-8 alphanumeric characters]_.hta. The instructions page describes how the user can decrypt their encrypted files.

Encrypted files are renamed, with a 4-character extension appended. My files were appended with .ab8b; however, the extension is taken from your machine GUID (the fourth hyphen-separated group in the example below):

Example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

Cerber also creates a folder in %Temp% named after the first 8 characters of your machine GUID.

Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Contained within that folder are two additional files named after the next 8 characters of the GUID.

Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

To check your machine GUID, open regedit.exe and look at the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
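As an added triage example (not part of the original post, and not Cerber's own code), the following PowerShell reads MachineGuid from that registry key and derives the host-specific indicators described above. It assumes exactly the naming behaviour stated in this post: the appended extension is the fourth hyphen-separated group of the GUID, and the %Temp% folder is named after the GUID's first 8 characters. It does not guess the names of the two files inside that folder and simply lists whatever is there; the rad*.tmp.exe pattern is taken from the sample filename above.

```powershell
# Added triage script (not from the original post). Run in the context of the
# affected user so that $env:TEMP and $env:USERPROFILE resolve to that profile.

# Assumption: extension = 4th GUID group, staging folder = first 8 GUID chars.
$machineGuid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid).MachineGuid
$parts       = $machineGuid.Split('-')
$expectedExt = '.' + $parts[3]                        # e.g. .ab8b in the case above
$stagingDir  = Join-Path $env:TEMP $machineGuid.Substring(0, 8)

Write-Host "MachineGuid        : $machineGuid"
Write-Host "Expected extension : $expectedExt"
Write-Host "Expected staging   : $stagingDir"

# 1. The %Temp% staging folder and whatever it contains (the two GUID-named files).
if (Test-Path $stagingDir) {
    Write-Host "`n[+] Staging folder present:"
    Get-ChildItem -Path $stagingDir -Force | Select-Object FullName, Length, CreationTime
} else {
    Write-Host "`n[-] Staging folder not found"
}

# 2. Ransom notes: _README_<5-8 alphanumerics>_.hta / .jpg anywhere under the profile.
Write-Host "`n[*] Ransom notes:"
Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^_README_[A-Za-z0-9]{5,8}_\.(hta|jpg)$' } |
    Select-Object FullName, CreationTime

# 3. Encrypted files: count them, and use the earliest write time to bound the incident.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $expectedExt })
Write-Host ("`n[*] {0} files carry {1}" -f $encrypted.Count, $expectedExt)
if ($encrypted.Count -gt 0) {
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    Write-Host ("    earliest LastWriteTime: {0} ({1})" -f $first.LastWriteTime, $first.FullName)
}

# 4. Dropper remnants in %Temp%. The originals self-delete, so a hit here means a
#    second run (as with rad53B1C.tmp.exe above); hash anything found for comparison.
Write-Host "`n[*] Dropper remnants in %Temp%:"
Get-ChildItem -Path $env:TEMP -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^rad[0-9A-Fa-f]{5}\.tmp\.exe$' -or $_.Extension -ieq '.js' } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $_.FullName; Size = $_.Length; SHA256 = $hash }
    }
```

Because the extension and folder name are derived from the victim's own MachineGuid, generic filename-based IOCs will not match across hosts; deriving them per machine, as above, is what makes the search portable.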

The Desktop wallpaper is also changed to a .bmp image of the ransom note. Below are images of the Desktop, the ransom notes, and an encrypted file.